Machine Learning Intruder Detection Approaches

Neural networks: simulate human brain operation with neurons and the synapses between them

Clustering and outlier detection: group the observed data into clusters, then identify subsequent data as either belonging to a cluster or as an outlier

Limitations of Anomaly Detection
– They are generally trained on legitimate data only; this limits the effectiveness of some of the techniques discussed
– Relatively high false positive rate: anomalies can just be new normal activities
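Added example (not from the lecture notes) showing the clustering and outlier detection approach and the two limitations above in working code. Training data, the two-feature traffic profile (connections per minute, mean bytes per packet), the RFC 5737-style test observations and the acceptance-radius rule are all constructed assumptions for this illustration: k-means is fitted on legitimate traffic only, and a new observation is accepted as normal if it lies within a cluster's radius, otherwise flagged as an outlier. The last observation is a legitimate new service whose profile was simply absent from training, which is the false positive the notes warn about.

```python
import math
from statistics import mean, pstdev

# Constructed training sample: per-host traffic features (connections per minute,
# mean bytes per packet), assumed captured during a period of legitimate activity only.
LEGIT_TRAINING = [
    (4, 120), (5, 110), (6, 130), (4, 125), (5, 115), (6, 118),              # interactive shells
    (40, 1400), (45, 1380), (38, 1420), (42, 1390), (44, 1410), (39, 1395),  # bulk transfers
]


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(points, k, iters=100):
    """Plain k-means; seeds are evenly spaced training points, so the run is deterministic."""
    centroids = [points[i * len(points) // k] for i in range(k)]
    members = [[] for _ in range(k)]
    for _ in range(iters):
        members = [[] for _ in range(k)]
        for p in points:
            members[min(range(k), key=lambda i: euclid(p, centroids[i]))].append(p)
        updated = [tuple(mean(f) for f in zip(*m)) if m else centroids[i]
                   for i, m in enumerate(members)]
        if updated == centroids:
            break
        centroids = updated
    return centroids, members


class ClusterOutlierDetector:
    def __init__(self, training, k=2, radius_factor=2.0):
        # z-score each feature with training statistics so that connections/min and
        # bytes/packet contribute comparably to the distance
        cols = list(zip(*training))
        self.mu = [mean(c) for c in cols]
        self.sd = [pstdev(c) or 1.0 for c in cols]
        norm = [self.normalize(p) for p in training]
        self.centroids, members = kmeans(norm, k)
        # a cluster's acceptance radius is a multiple of the largest distance any of its
        # training members had from the centroid (constructed rule for the example)
        self.radius = [radius_factor * max(euclid(p, c) for p in m) if m else 0.0
                       for c, m in zip(self.centroids, members)]

    def normalize(self, p):
        return tuple((x - m) / s for x, m, s in zip(p, self.mu, self.sd))

    def classify(self, p):
        """Return (verdict, nearest cluster index, distance to its centroid)."""
        q = self.normalize(p)
        idx = min(range(len(self.centroids)), key=lambda i: euclid(q, self.centroids[i]))
        d = euclid(q, self.centroids[idx])
        verdict = "normal" if d <= self.radius[idx] else "outlier"
        return verdict, idx, round(d, 3)


if __name__ == "__main__":
    det = ClusterOutlierDetector(LEGIT_TRAINING)
    # constructed observations: two routine hosts, a scan-like burst, and a newly deployed
    # service whose traffic is legitimate but was absent from the training data
    for label, obs in [("ssh session", (5, 118)), ("backup job", (43, 1405)),
                       ("scan-like burst", (300, 90)), ("new service (legit)", (12, 900))]:
        print(f"{label:22} {obs!s:12} -> {det.classify(obs)}")
```

The scan-like burst and the new service are both reported as outliers: the detector cannot tell a genuinely new legitimate activity from an intrusion, because it has only ever seen legitimate data. Retraining on the new service's traffic is the usual remedy, which is exactly the "new normal" problem the notes describe.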

Detect intrusion by:
– observing events in the system
– applying a set of patterns or rules to the data
– determining if the data is intrusive or normal

Signature Approaches
– match a large collection of known patterns of malicious data against data stored on system or in transit over a network
– the signatures need to be large enough to minimize the false alarm rate, while still detecting a sufficiently large fraction of malicious data
– Widely used in anti-virus products, network traffic scanning proxies, and in NIDS

Signature Approach
– Advantages:
  low cost in time and resource use
  wide acceptance
– Disadvantages:
  significant effort to identify and review new malware to create signatures
  inability to detect zero-day attacks
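Added example (not from the lecture notes) of the signature approach from the two slides above. The signature strings, the sample buffers and the minimum-length rule are constructed for this illustration and are not real malware signatures. It shows the three points the notes make: a signature that is too short fires on ordinary text (false alarm), a longer one matches the known sample, and a modified variant (the zero-day case) is missed entirely. The stream scanner carries an overlap between chunks so a signature split across two segments, as a NIDS sees in reassembled traffic, is still found.

```python
import re

# Constructed signature set: name -> byte pattern. Invented for the example only.
SIGNATURES = {
    "demo-dropper-v1": b"DEMO-DROPPER-STAGE1-7f3a91",
    "demo-beacon":     b"DEMO-BEACON-HDR/1.0 host=",
}
TOO_SHORT = {"short-sig": b"exec"}  # a weak signature: matches in ordinary text

# Constructed sample data (example.test and the offsets are made up for the demo)
BENIGN = b"The admin can exec the nightly report script after the backup completes."
MALICIOUS = b"POST /u HTTP/1.1\r\nHost: example.test\r\n\r\nDEMO-DROPPER-STAGE1-7f3a91 run"
VARIANT = MALICIOUS.replace(b"STAGE1-7f3a91", b"STAGE2-c0ffee")   # unseen "zero-day" variant
CHUNKS = [MALICIOUS[:50], MALICIOUS[50:]]                          # signature split across chunks


def scan_buffer(data: bytes, signatures: dict, min_len: int = 8):
    """Return (name, offset) for every occurrence of an accepted signature in data."""
    hits = []
    for name, pat in signatures.items():
        if len(pat) < min_len:
            continue  # too short to have a useful false-alarm rate; refuse to use it
        for m in re.finditer(re.escape(pat), data):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: h[1])


def scan_stream(chunks, signatures, min_len: int = 8):
    """Scan a sequence of chunks (e.g. reassembled TCP segments) so that a signature
    straddling a chunk boundary is still found; offsets are stream offsets."""
    overlap = max((len(p) for p in signatures.values()), default=1) - 1
    carry, base, hits = b"", 0, []
    for chunk in chunks:
        buf = carry + chunk
        for name, off in scan_buffer(buf, signatures, min_len):
            hits.append((name, base + off))
        keep = min(overlap, len(buf))       # tail that may hold the start of a signature
        base += len(buf) - keep
        carry = buf[len(buf) - keep:]
    return sorted(set(hits), key=lambda h: h[1])   # set drops hits seen twice via the overlap


if __name__ == "__main__":
    print("benign, good sigs :", scan_buffer(BENIGN, SIGNATURES))
    print("benign, short sig :", scan_buffer(BENIGN, TOO_SHORT, min_len=1))   # false alarm
    print("known sample      :", scan_buffer(MALICIOUS, SIGNATURES))
    print("variant (zero-day):", scan_buffer(VARIANT, SIGNATURES))            # missed
    print("per-chunk naive   :", [scan_buffer(c, SIGNATURES) for c in CHUNKS])  # missed
    print("stream with overlap:", scan_stream(CHUNKS, SIGNATURES))
```

The per-chunk result is the practical caveat: a signature engine that inspects packets individually, without reassembly or an overlap buffer, can be evaded simply by fragmentation, so NIDS products reassemble streams before matching.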

Rule-Based Detection
– involves the use of rules for identifying known penetrations or penetrations that would exploit known weaknesses
– rules can also be defined that identify suspicious behavior
– typically the rules used are specific
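Added example (not from the lecture notes) of rule-based detection as described above: a small rule engine evaluated over constructed authentication events. The events, rule names, thresholds and addresses (RFC 5737 documentation ranges) are all assumptions for the illustration. Each rule is specific, as the notes say: one names a known pattern of penetration (a burst of failed logins from one source), one a known weak configuration (an interactive login to a default account), and one suspicious behaviour (a service account invoking sudo).

```python
from collections import defaultdict, deque

# Constructed authentication events (epoch seconds and fields); nothing here is a real log.
EVENTS = [
    {"t": 0,   "type": "login", "result": "fail",    "user": "root",       "src": "203.0.113.5"},
    {"t": 5,   "type": "login", "result": "fail",    "user": "admin",      "src": "198.51.100.7"},
    {"t": 10,  "type": "login", "result": "fail",    "user": "root",       "src": "203.0.113.5"},
    {"t": 20,  "type": "login", "result": "fail",    "user": "admin",      "src": "203.0.113.5"},
    {"t": 30,  "type": "login", "result": "fail",    "user": "oracle",     "src": "203.0.113.5"},
    {"t": 40,  "type": "login", "result": "fail",    "user": "root",       "src": "203.0.113.5"},
    {"t": 100, "type": "login", "result": "success", "user": "alice",      "src": "192.0.2.10"},
    {"t": 110, "type": "sudo",  "result": "success", "user": "alice",      "src": "192.0.2.10"},
    {"t": 200, "type": "sudo",  "result": "success", "user": "svc-backup", "src": "192.0.2.44"},
    {"t": 300, "type": "login", "result": "fail",    "user": "admin",      "src": "198.51.100.7"},
]

# Constructed rules: an event matches when every field in "match" has the given value;
# an alert fires once "threshold" matching events for the same "key" fall inside "window".
RULES = [
    {"name": "ssh-password-guessing", "match": {"type": "login", "result": "fail"},
     "key": "src", "threshold": 5, "window": 60},
    {"name": "default-account-login", "match": {"type": "login", "result": "success", "user": "guest"},
     "key": "src", "threshold": 1, "window": 0},
    {"name": "service-account-sudo", "match": {"type": "sudo", "user": "svc-backup"},
     "key": "user", "threshold": 1, "window": 0},
]


def matches(rule, ev):
    return all(ev.get(field) == value for field, value in rule["match"].items())


def evaluate(events, rules):
    """Return (rule name, key value, time) for each alert, in time order."""
    alerts = []
    windows = defaultdict(deque)   # (rule name, key value) -> timestamps inside the window
    for ev in sorted(events, key=lambda e: e["t"]):
        for rule in rules:
            if not matches(rule, ev):
                continue
            q = windows[(rule["name"], ev.get(rule["key"]))]
            q.append(ev["t"])
            while q and ev["t"] - q[0] > rule["window"]:
                q.popleft()            # drop events that have aged out of the window
            if len(q) >= rule["threshold"]:
                alerts.append((rule["name"], ev.get(rule["key"]), ev["t"]))
                q.clear()              # one alert per threshold-sized burst, not per event
    return alerts


if __name__ == "__main__":
    for alert in evaluate(EVENTS, RULES):
        print(alert)
```

Two alerts are produced: the fifth failure from 203.0.113.5 at t=40, and the sudo by svc-backup at t=200. The two scattered failures from 198.51.100.7 never reach the threshold within the window, and alice's sudo matches no rule, which is the flip side of specific rules: anything not written down as a rule is never reported.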